Workaround for disabled CORS - need help with the last step


Marek Číž

Jun 22, 2015, 7:25:41 AM
to swagger-sw...@googlegroups.com
Hi,

I'm trying to introduce Swagger UI in our company, but since it would be running on a different server than our AppServers, I'd need to enable CORS on them.
But since we have 100+ servers, our Infra isn't very happy about it (about enabling CORS).

So I was trying to create some workaround and I think I found one, but I'd need help with the last step.

Using Fiddler I was able to create a proxy with a custom rule that adds the Access-Control-Allow-Origin/Methods/Headers headers:

// FiddlerScript rule: add the three CORS headers to every response passing through the proxy
static function OnBeforeResponse(oSession: Session) {
    oSession.oResponse["Access-Control-Allow-Origin"] = "*";
    oSession.oResponse["Access-Control-Allow-Methods"] = "GET, POST, DELETE, PUT";
    oSession.oResponse["Access-Control-Allow-Headers"] = "Content-Type, x-usercontext, x-applicationname";
}

When this proxy and the rule are enabled, Swagger UI is working as expected.
When I remove this rule and leave the proxy enabled, I'll get this error message:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource...

So from my point of view, it's clear that it's not working because CORS is disabled: the server isn't returning those headers and therefore Swagger can't process it.
Am I right?

So I was trying to add this to the shred.bundle.js file, to the function where the Response object is constructed:
    response._setHeader.call(this, "Access-Control-Allow-Origin", "*");
    response._setHeader.call(this, "Access-Control-Allow-Methods", "GET, POST, DELETE, PUT");
    response._setHeader.call(this, "Access-Control-Allow-Headers", "Content-Type, x-usercontext, x-applicationName");

Although I was able to see those 3 headers in the SwaggerUI, I didn't receive any response body, HTTP code nor any other expected header.

I tried to debug and amend the script, but none of my attempts were successful, because I was always receiving an empty response with HTTP status code 0.

So my questions are the following:
1. Is there a way I can add those 3 headers to the response before the response is processed?
2. Would removing the Origin and Referer request headers help me? If yes, where can I amend the script so it wouldn't be adding them to the request?
3. Can I force Swagger to stop requiring those 3 headers?

I know those are quite unusual questions and it's directly against CORS settings/Same Origin Policy, but any idea, any help would really help me.

Thanks in advance

Regards,
Marek

Josh Ponelat

Jun 22, 2015, 9:55:18 AM
to swagger-sw...@googlegroups.com
Hi Marek,

So CORS generally gives me a headache, but I've been working on it myself a little, so let's see..

First off, by 'shred', does this imply that your proxy is a node.js server? It looks javascript-like.
If so, there is a package dedicated to CORS that helps... it's middleware for connect/express... simply called 'cors'



--
You received this message because you are subscribed to the Google Groups "Swagger" group.
To unsubscribe from this group and stop receiving emails from it, send an email to swagger-swaggers...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Josh Ponelat

Jun 22, 2015, 10:05:50 AM
to swagger-sw...@googlegroups.com
One of the issues I ran into is the little-known OPTIONS, which is part of the pre-flight request with CORS... the npm module 'cors' handles that nicely :D

Marek Číž

Jun 22, 2015, 12:26:57 PM
to swagger-sw...@googlegroups.com
Hi Josh,

No, I'm not using node.js. I tried that proxy (using Fiddler, so it's Fiddler's native proxy) just to check if removing/adding those headers works.

I was just wondering if it's possible to add those 3 headers mentioned above to the incoming response message from my application server.
The request from Swagger UI was processed on this application server, but we don't have CORS enabled there.
So I have to add those headers to the response before it's returned to Swagger.

Is it technically possible?

Thanks,
Marek

On Monday, June 22, 2015 at 16:05:50 UTC+2, Josh Ponelat wrote:

Josh Ponelat

Jun 22, 2015, 12:45:32 PM
to swagger-sw...@googlegroups.com
I don't fully understand where the injection of the headers is to take place.

If it's within the context of the browser, then no, it won't be able to circumvent the CORS restrictions.
You would need a proxy outside of the browser.


Marek Číž

Jun 23, 2015, 4:31:26 AM
to swagger-sw...@googlegroups.com
Yes, I wanted it within the context of the browser so it wouldn't require any additional setup for my colleagues, so I was afraid it wouldn't be possible.

What about my 2 other questions from the initial post?
Would it help if I removed the Origin and Referer headers from requests?
Or can I somehow customize Swagger so it won't require Access-Control-Allow headers?

Thanks,
Marek

On Monday, June 22, 2015 at 18:45:32 UTC+2, Josh Ponelat wrote:

Josh Ponelat

Jun 23, 2015, 4:43:44 AM
to swagger-sw...@googlegroups.com
Hi,

I'm afraid it won't matter what we do on the client side; as long as the server and client are on different domains, the browser will throw up CORS issues.
CORS would be true of any browser-client that wishes to access the server's API.

This has nothing to do with swagger and is all about the browser's inbuilt security.

Perhaps you can advise your colleagues of this, if they want the API to be accessible from the browser.
OR you can run a local proxy, one that swagger-ui uses (instead of going directly to the API).

The only way around CORS is to set the right headers (like access-control-* ) from the server OR use a proxy.
And that proxy obviously cannot be simply a client inside the browser.

Marek Číž

Jun 23, 2015, 6:02:33 AM
to swagger-sw...@googlegroups.com
Hey Josh,

Thanks for this explanation.

Based on your last comment I started looking into the browser's security settings and I found this simple plugin for Chrome, which works perfectly for me:

Once I installed that and configured the Url, Swagger started working as expected even though my server and browser are on different domains and different ports.

Thanks for your help, I really appreciate it.

Regards,
Marek

On Tuesday, June 23, 2015 at 10:43:44 UTC+2, Josh Ponelat wrote:

Josh Ponelat

Jun 23, 2015, 6:19:01 AM
to swagger-sw...@googlegroups.com
You're welcome!
That's an interesting plugin, thanks for sharing it here.
It might allow easier development, although it would only be accessible from the browser that has it installed.